
API Authentication

How to authenticate with our API?

All requests must be signed, allowing the identification of the sender and preventing impersonation attacks. For this purpose, a public identifier, a secret key, and a resource identifier are provided to interact with the server.

  • Key: This is the public identifier of the request sender.
  • Secret: This is the secret key used to sign requests and should never be included in them.
  • Resource: This is an identifier associated with the sender's configuration that allows integrating all solutions with a single identifier/secret key pair.

These three parameters should be configurable in the client's integration to allow modifications.

IMPORTANT

These parameters, especially the secret, may vary between integration environments. In other words, they will have different values in production, which is why it is important that they are configurable in your application.

The secret is used to digitally sign API requests and therefore never travels with them. Store this value securely, never share it with anyone, and never expose it as a public value.

For requests that contain a body (i.e., POST, DELETE, PUT, …), the signature is the hexadecimal HMAC of the request body, computed with any of the algorithms supported by our system (sha256 or sha512) and sent in the Content-Signature header.

Examples

import hashlib
import hmac
import json

import requests

body = {
    "key": "589365da65c48cff87d0874a",
    "mode": "sha256",
    "resource": "359ef8ce5c5f4003b71692e446908c27",
    "nonce": "1234567890",
    "payload": {
        "param1": "value1",
        "param2": "value2"
    }
}

# The secret signs the request and is never sent with it.
secret = b'api-secret'

# Serialize once and sign exactly the bytes that are sent as the body.
raw_body = json.dumps(body).encode('utf-8')
sign = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

url = 'https://dummy.es/'
response = requests.post(
    url,
    data=raw_body,
    headers={'Content-Type': 'application/json', 'Content-Signature': sign},
)
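The signature only validates when it is computed over the exact bytes sent as the request body. The following is an added example, not code from this documentation or from the API provider: the helper names (sign_body, build_signed_request, signature_matches) are hypothetical, the receiving-side check is an assumption about how a verifier would recompute the HMAC, and reading the algorithm from the body's "mode" field is also an assumption.

```python
import hashlib
import hmac
import json

# Algorithms the page lists as supported for the Content-Signature header.
MODES = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def sign_body(secret: bytes, raw_body: bytes, mode: str = "sha256") -> str:
    """Return the hexadecimal HMAC of the exact body bytes."""
    if mode not in MODES:
        raise ValueError(f"unsupported mode: {mode!r}")
    return hmac.new(secret, raw_body, MODES[mode]).hexdigest()


def build_signed_request(secret: bytes, body: dict) -> tuple[bytes, dict]:
    """Serialize once, sign those bytes, and return (raw_body, headers)."""
    raw_body = json.dumps(body).encode("utf-8")
    # Assumption: the body's "mode" field names the algorithm used to sign.
    signature = sign_body(secret, raw_body, body.get("mode", "sha256"))
    return raw_body, {"Content-Signature": signature}


def signature_matches(secret: bytes, raw_body: bytes, headers: dict, mode: str) -> bool:
    """Recompute the HMAC over the received bytes; compare in constant time."""
    expected = sign_body(secret, raw_body, mode)
    return hmac.compare_digest(expected, headers.get("Content-Signature", ""))


# Constructed sample values, not real credentials.
SECRET = b"api-secret"
BODY = {
    "key": "589365da65c48cff87d0874a",
    "mode": "sha512",
    "resource": "359ef8ce5c5f4003b71692e446908c27",
    "nonce": "1234567890",
    "payload": {"param1": "value1", "param2": "value2"},
}

if __name__ == "__main__":
    raw, headers = build_signed_request(SECRET, BODY)
    print("sent bytes verify:", signature_matches(SECRET, raw, headers, "sha512"))
    # Re-serializing the same data differently yields different bytes, so the
    # signature computed for the original bytes no longer matches.
    compact = json.dumps(BODY, separators=(",", ":")).encode("utf-8")
    print("re-serialized verify:", signature_matches(SECRET, compact, headers, "sha512"))
```

Pass the returned bytes unchanged as the request body; letting the HTTP client re-encode the dictionary produces a body that no longer matches the signature.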

What environments do we have?

Our integration consists of two steps. First, you will perform the technical implementation in the testing environment, also known as sandbox. After conducting the necessary tests in the sandbox environment, you can move to the production environment, known as live.

Sandbox Environment

  • API URL: https://sandbox.sipay.es/

Production Environment

  • API URL: https://live.sipay.es/